Hi All,
Recently we installed a new Squid proxy (squid-2.5.STABLE12-18.9 on SUSE 10) with LDAP authentication. Earlier we had a Squid proxy with LDAP authentication. At that time, both LDAP and Squid were running on the same server and everything was fine. Now we have installed a new Linux server and moved the Squid service to it. LDAP is running on a different server. Many users are now complaining that they are not able to browse. Ever since I migrated all users to this new proxy server, we have been getting the following errors in the /var/log/message file. The same messages are displayed in /var/log/squid/cache.log:
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'fullaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'restrictedaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'deniedaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'fullaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'restrictedaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'deniedaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'fullaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'restrictedaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'deniedaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'fullaccess' queue overload. Request rejected.
In cache.log these lines are also displayed:
WARNING: All deniedaccess processes are busy.
2009/02/17 11:34:40| WARNING: up to 5 pending requests queued
2009/02/17 11:34:40| Consider increasing the number of deniedaccess processes to at least 10 in your config file.
2009/02/17 11:34:44| aclMatchExternal: 'fullaccess' queue overload. Request rejected.
2009/02/17 11:34:44| aclMatchExternal: 'restrictedaccess' queue overload. Request rejected.
2009/02/17 11:34:44| aclMatchExternal: 'deniedaccess' queue overload. Request rejected.
Here is my external ACL definition:
#eDir full Internet access
external_acl_type fullaccess %LOGIN /usr/sbin/squid_ldap_group -d -b "o=org" -B "o=org" -D "cn=squidproxy,ou=services,o=org" -w "" -s sub -h 10.10.10.3 -f "(&(objectclass=groupOfNames)(cn=%a))" -F "(&(&(objectClass=Person)(cn=%s))(groupMembership=cn=proxyfullaccess,ou=groups,ou=services,o=org))" -Z
#eDir deny Internet access
external_acl_type deniedaccess %LOGIN /usr/sbin/squid_ldap_group -d -b "o=org" -B "o=org" -D "cn=squidproxy,ou=services,o=org" -w "pass" -s sub -h 10.10.10.3 -f "(&(objectclass=groupOfNames)(cn=%a))" -F "(&(&(objectClass=Person)(cn=%s))(groupMembership=cn=proxydenyaccess,ou=groups,ou=services,o=org))" -Z
#eDir limited Internet access
external_acl_type restrictedaccess %LOGIN /usr/sbin/squid_ldap_group -d -b "o=org" -B "o=org" -D "cn=squidproxy,ou=services,o=org" -w "pass" -s sub -h 10.10.10.3 -f "(&(objectclass=groupOfNames)(cn=%a))" -F "(&(&(objectClass=Person)(cn=%s))(groupMembership=cn=proxylimitaccess,ou=groups,ou=services,o=org))" -Z
This was the same configuration we had in our earlier setup and it was working fine. Please suggest what the root cause of this might be and help me resolve it.
Thanks in advance,
Vinukaimal
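
A small triage script for the messages quoted above, added here as an example and not part of the original post: it tallies, per external ACL helper, how many requests were rejected, how often all helper processes were busy, and the process count Squid itself suggested. The sample lines are constructed from the two log formats shown in the post; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in the two formats quoted in the post (syslog and cache.log).
SAMPLE = """\
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'fullaccess' queue overload. Request rejected.
Feb 17 11:32:21 proxy squid[9869]: aclMatchExternal: 'deniedaccess' queue overload. Request rejected.
2009/02/17 11:34:40| WARNING: All deniedaccess processes are busy.
2009/02/17 11:34:40| WARNING: up to 5 pending requests queued
2009/02/17 11:34:40| Consider increasing the number of deniedaccess processes to at least 10 in your config file.
2009/02/17 11:34:44| aclMatchExternal: 'deniedaccess' queue overload. Request rejected.
2009/02/17 11:34:44| aclMatchExternal: \u2018restrictedaccess\u2019 queue overload. Request rejected.
"""

# Accept straight or typographic quotes, since pasted logs often carry the latter.
OVERLOAD = re.compile(r"aclMatchExternal: ['\"\u2018]?([\w.-]+)['\"\u2019]? queue overload")
BUSY = re.compile(r"WARNING: All ([\w.-]+) processes are busy")
ADVICE = re.compile(r"number of ([\w.-]+) processes to at least (\d+)")


def summarize(text):
    """Per helper: rejected requests, 'all busy' warnings, advised process count."""
    stats = defaultdict(lambda: {"rejected": 0, "busy": 0, "advised": None})
    for line in text.splitlines():
        if (m := OVERLOAD.search(line)):
            stats[m.group(1)]["rejected"] += 1
        elif (m := BUSY.search(line)):
            stats[m.group(1)]["busy"] += 1
        elif (m := ADVICE.search(line)):
            helper, n = m.group(1), int(m.group(2))
            # Keep the highest figure Squid suggested during the window.
            stats[helper]["advised"] = max(n, stats[helper]["advised"] or 0)
    return dict(stats)


def overloaded(stats):
    """Helpers that dropped requests, worst first (ties broken by name)."""
    hit = [h for h, s in stats.items() if s["rejected"]]
    return sorted(hit, key=lambda h: (-stats[h]["rejected"], h))


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for helper in overloaded(result):
        print(helper, result[helper])
```

The advised figure corresponds to the `children=` option of `external_acl_type`, which none of the three definitions in the post set.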